U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:php:php:4.0.7:rc1:*:*:*:*:*:*
There are 64 matching records.
Displaying matches 21 through 40.
Vuln ID Summary CVSS Severity
CVE-2007-1001

Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.

Published: April 05, 2007; 8:19:00 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2007-1835

PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.

Published: April 02, 2007; 8:19:00 PM -0400
V3.x:(not available)
V2.0: 4.6 MEDIUM
CVE-2007-1825

Buffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field. NOTE: as of 20070411, it appears that this issue might be subsumed by CVE-2007-0906.3.

Published: April 02, 2007; 7:19:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2007-1777

Integer overflow in the zip_read_entry function in PHP 4 before 4.4.5 allows remote attackers to execute arbitrary code via a ZIP archive that contains an entry with a length value of 0xffffffff, which is incremented before use in an emalloc call, triggering a heap overflow.

Published: March 29, 2007; 9:19:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2007-1717

The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte, which might allow context-dependent attackers to prevent intended information from being delivered in e-mail messages. NOTE: this issue might be security-relevant in cases when the trailing contents of e-mail messages are important, such as logging information or if the message is expected to be well-formed.

Published: March 27, 2007; 8:19:00 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2007-1718

CRLF injection vulnerability in the mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to inject arbitrary e-mail headers and possibly conduct spam attacks via a control character immediately following folding of the (1) Subject or (2) To parameter, as demonstrated by a parameter containing a "\r\n\t\n" sequence, related to an increment bug in the SKIP_LONG_HEADER_SEP macro.

Published: March 27, 2007; 8:19:00 PM -0400
V3.x:(not available)
V2.0: 7.8 HIGH
CVE-2007-1700

The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, calculates the reference count for the session variables without considering the internal pointer from the session globals, which allows context-dependent attackers to execute arbitrary code via a crafted string in the session_register after unsetting HTTP_SESSION_VARS and _SESSION, which destroys the session data Hashtable.

Published: March 26, 2007; 9:19:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2007-1582

The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.

Published: March 21, 2007; 7:19:00 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2007-1583

The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.

Published: March 21, 2007; 7:19:00 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2007-1376

The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource.

Published: March 09, 2007; 7:19:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2007-1378

The ovrimos_longreadlen function in the Ovrimos extension for PHP before 4.4.5 allows context-dependent attackers to write to arbitrary memory locations via the result_id and length arguments.

Published: March 09, 2007; 7:19:00 PM -0500
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2007-1379

The ovrimos_close function in the Ovrimos extension for PHP before 4.4.5 can trigger efree of an arbitrary address, which might allow context-dependent attackers to execute arbitrary code.

Published: March 09, 2007; 7:19:00 PM -0500
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2007-1380

The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.

Published: March 09, 2007; 7:19:00 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2007-0905

PHP before 5.2.1 allows attackers to bypass safe_mode and open_basedir restrictions via unspecified vectors in the session extension. NOTE: it is possible that this issue is a duplicate of CVE-2006-6383.

Published: February 13, 2007; 6:28:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2007-0906

Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. NOTE: vector 6 might actually be an integer overflow (CVE-2007-1885). NOTE: as of 20070411, vector (3) might involve the imap_mail_compose function (CVE-2007-1825).

Published: February 13, 2007; 6:28:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2007-0907

Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function.

Published: February 13, 2007; 6:28:00 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2007-0909

Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function.

Published: February 13, 2007; 6:28:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2007-0910

Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors.

Published: February 13, 2007; 6:28:00 PM -0500
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2006-4812

Integer overflow in PHP 5 up to 5.1.6 and 4 before 4.3.0 allows remote attackers to execute arbitrary code via an argument to the unserialize PHP function with a large value for the number of array elements, which triggers the overflow in the Zend Engine ecalloc function (Zend/zend_alloc.c).

Published: October 10, 2006; 12:06:00 AM -0400
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2006-5178

Race condition in the symlink function in PHP 5.1.6 and earlier allows local users to bypass the open_basedir restriction by using a combination of symlink, mkdir, and unlink functions to change the file path after the open_basedir check and before the file is opened by the underlying system, as demonstrated by symlinking a symlink into a subdirectory, to point to a parent directory via .. (dot dot) sequences, and then unlinking the resulting symlink.

Published: October 10, 2006; 12:06:00 AM -0400
V3.x:(not available)
V2.0: 6.2 MEDIUM